Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

CVE-2019-0370 Multiple Vulnerabilities in SAP Financial Consolidation, SAP security note 2806403

Description

The SAP security note addresses several vulnerabilities identified in SAP Financial Consolidation. The vulnerability details along with their CVE relevant information can be found below.

1. XPath Injection

The SAP Financial Consolidation legacy web enables malicious users to use crafted input to break out of the data context in which their input appears and to interfere with the structure of the surrounding query.

  • CVE-2019-0370
  • CVSS Score: 5.4; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Some well Known impact of Xpath injection vulnerability include

  • exploitation of an XPath injection flaw in order to read sensitive application data or to interfere with application logic.

2. Cross Site Scripting

The SAP Financial Consolidation legacy web client does not sufficiently encode user controlled inputs, resulting in a reflected cross-site scripting (XSS) vulnerability.

  • CVE-2019-0369
  • CVSS Score: 5.4; CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Some well-known impacts of XSS vulnerability include

  • non-permanently deface or modify displayed content from a web site
  • steal authentication information of the user, such as data relating to their current session
  • impersonate the user and access all information with the same rights as the target user

Available fix and Supported packages

  • FINANCE | 1000 | 1000
  • FINANCE | 1010 | 1010
  • SBOP FINANCIAL CONS. 10.0 | SP019 | 000010
  • SBOP FINANCIAL CONS. 10.0 | SP020 | 000000
  • SBOP FINANCIAL CONS. 10.1 | SP008 | 000002
  • SBOP FINANCIAL CONS. 10.1 | SP009 | 000000

Affected component

    EPM-BFC-TCL
    Technical Components

CVSS

Score: 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2806403

TAGS

#BOFC
#BFC
#XPath-Injection
#Reflected-XSS
#&160-CSS
#CVE-2019-0370
#CVE-2019-0369

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.